apt-key 金鑰管理,apt-secure 原理 驗證鏈 驗證測試

usmile發表於2020-06-02

apt-key

用於管理Debian Linux系統中的軟體包金鑰。每個釋出的deb包,都是通過金鑰認證的,apt-key用來管理金鑰。

  • apt-key list

    列出已儲存在系統中key。包括 /etc/apt/trusted.gpg/etc/apt/trusted.gpg.d/目錄下的金鑰

  • apt-key add <keyname >

    把下載的key新增到本地trusted資料庫中,使用描述性名稱,以gpg或asc作為副檔名

  • apt-key del <keyname>

    從本地trusted資料庫刪除key。

  • apt-key update (棄用,直接刪除和新增)

    更新本地trusted資料庫,刪除過期沒用的key。

  • apt-key adv --recv-key

    下載並新增到受信任金鑰環中(不做任何檢查,有風險)

    http://manpages.ubuntu.com/manpages/bionic/en/man8/apt-key.8.html

目錄、檔案

/var/cache/apt/archives

已經下載到的.deb軟體包都放在這裡(用 apt-get install 安裝軟體時,軟體包的臨時存放路徑)

/var/lib/apt/lists

存放已安裝和未安裝的軟體列表

使用apt-get update命令會從/etc/apt/sources.list指定的源更新軟體列表,並儲存到該目錄

/etc/apt

sources.list 官方軟體源地址(配置為阿里源)

souces.list.d 目錄下是第三方軟體源地址,裡面的檔案必須以.list結尾

https://askubuntu.com/a/82844

/etc/apt

trusted.gpg: local trusted keys, new keys will be added here

trusted.gpg.d:additional keyrings can be stored here (by other packages or the administrator)

/usr/bin/

通過 apt 安裝的軟體,命令存放在 /usr/bin/ 目錄下

apt-secure

參考

http://manpages.ubuntu.com/manpages/bionic/en/man8/apt-secure.8.html

SecureApt

基礎元素

Release 檔案

Release檔案包含分發後設資料和索引檔案的校驗值

apt 要求隨 Release 檔案一起釋出一個 Relesase.gpg 的簽名檔案,用來驗證安裝包提供者的資訊

InRelease 檔案

InRelease檔案內聯gpg簽名(資料和簽名在一個 InRelease 檔案中)

lfp@legion:/var/lib/apt/lists$ ls
...
# 兩個檔案
deb.nodesource.com_node%5f12.x_dists_bionic_InRelease
deb.nodesource.com_node%5f12.x_dists_bionic_main_binary-amd64_Packages
...
# 三個檔案
dl.google.com_linux_chrome_deb_dists_stable_main_binary-amd64_Packages
dl.google.com_linux_chrome_deb_dists_stable_Release
dl.google.com_linux_chrome_deb_dists_stable_Release.gpg
...

區別:在下載時避免競爭情況

The only difference to Release is that the signature is not detached, but within the file. This is a first step towards getting rid of race conditions when updating Packages/Sources files and mirror updates
running

https://lists.debian.org/debian-devel-announce/2009/11/msg00001.html

校驗值MD5

保護apt安全的基礎

debian archive 包含一個Release檔案,隨安裝包一起更新,裡面包含了分發後設資料和Package的MD5

Package檔案裡包含安裝資訊以及安裝檔案的MD5

驗證鏈

1)驗證簽名檔案

簽名檔案用來保證Package檔案的正確性

  • 如果無法下載 Release 檔案或 Release.gpg 簽名無效,則報錯

    W: GPG 錯誤......下列簽名無效 EXPKEYSIG......

    E: 倉庫......沒有數字簽名

    N: 無法安全地用該源進行更新,所以預設禁用該源

    缺少公鑰

  • apt 使用 gpg 來驗證簽名檔案

    1. 獲取金鑰

      預設情況下,Debian 系統會預先安裝一些 Debian Archieve 的公鑰,儲存在 /etc/apt/trusted.gpg檔案中,第三方軟體金鑰需要通過apt-key add [.gpg] 安裝到/etc/apt/sources.list.d/目錄下

      一旦將金鑰新增到apt的金鑰環中,就相當於告訴apt信任該金鑰簽名的一切東西

      如果公鑰丟失,可以通過下面的命令到公鑰伺服器上尋找

      apt-key adv --keyserver <server_url> --recv-key <keyId>

      1. 如果更新失敗可能是防火牆埠問題,嘗試指定常規HTTP埠80

      2. 如果連線的是公司的代理伺服器,可以嘗試下面的方法

         --keyserver-options http-proxy=<myProxy> --keyserver keyserver.ubuntu.com
        
    2. 通過gpgv簽名驗證工具來驗證簽名的有效性

      詳細介紹參見博文GPG配置、命令、例項與apt-key金鑰測試

      • gpgv 認為apt金鑰環中的金鑰都是可信的,不會檢查其是否過期或被吊銷

      • 通過--keyring [.gpg file]指定金鑰環,-v可以顯示更多資訊

        apt 金鑰環儲存在 /etc/apt/trusted.gpg 或 /etc/apt/trusted.gpg.d/xxx.gpg 中

      • 單獨簽名驗證

        gpgv --keyring /etc/apt/trusted.gpg [Release.gpg file] [Release file]

      • 內聯簽名驗證

        gpgv --keyring /etc/apt/trusted.gpg [InRelease file]

2)驗證Package檔案

Package 檔案中包含軟體不同版本的資訊,用來保證deb檔案的正確性

  1. 從Release檔案或InRelease檔案中提取Package檔案的MD5

    sed -n "s,main/binary-amd64/Packages$,,p" [Release / InRelease file]

  2. 計算Package檔案的MD5

    md5sum [Packages file]

3)驗證安裝包

  1. 從Package檔案中提取deb檔案的MD5

    sed -n "s/MD5sum: //p" [Packages file]

  2. 從apt快取中提取軟體的MD5

    apt-cache show [package_name] | sed -n "s/MD5sum: //p"

  3. 計算本地已下載deb檔案的MD5

    md5sum [.deb file]

驗證測試

chrome 驗證

特點

  1. chrome 是Release檔案和簽名檔案[.gpg]分離的
  2. 使用本地金鑰環驗證(儲存在 /etc/apt/trusted.gpg)

官方宣告

https://www.google.com/linuxrepositories/

Release.gpg檔案

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCAAGBQJeqbVjAAoJEHi9ZUc8s70TgUIP/RzWWeDxvtGrmLoWt0csiD+O
wrAr86yDSSzFasjKPcS+SQzs5FnCamFdTT7KD2C6thwRgCLR3oumHMuKC5hnb9/4
GP7qMCDYQEMR2IQcWfKPoT2fAX1eKDKJtv5qsAEdSb3uIW27zkdvUA4j4N6w4toA
RA24VV/VSK1p3T4j3HQzN6fOta0wA3onN9bPrcXZAig7Tm78SKbjYEzd1jxIeQQE
aTKP6AfHPnn8UFNkVyifigsd1Usaex3BJumzHq+jLhTtJDcLjqQNQdcKs48xY0Ek
lZJHY1w/p8e06Y16fXxO/Mh6+Kmu+ZBOKEo3VjshBOISASkMXG/JPEjWadP62A8S
lprRALXaWLcF5P5RYjdqhatCxH37SQr3iqqQmdC/PSCDq/Z5cYiVIElyUeHnMZ6i
X6wYvOd1n9p64VgUAINpbY0NeWZc0Kj1pMXaL+bohUnH8YWDfIhFdQDdQbd0DxBY
xgSTAuUn4DkMKZvtqVEsAIZk5VrYjWykdvdaZad8DdAhVxuHzl1xVEXRDyDhxvUN
IE2oOMv1N5MrXKHtGJLITlv0SAtbZRSaez91dudr9eoln8bZ+oFI9VrHO0xKO2/W
/VRMExkQC51OHCEtZKfsqqSAEG0sctvagq5MElCElZkmD/P72MuznRBgjbfeKs/B
JMSaAmp1mus5Mo7BZND6
=/bSj
-----END PGP SIGNATURE-----                      
驗證簽名
lfp@legion:/var/lib/apt/lists$ gpgv --keyring /etc/apt/trusted.gpg dl.google.com_linux_chrome_deb_dists_stable_Release.gpg dl.google.com_linux_chrome_deb_dists_stable_Release
gpgv: 簽名建立於 2020年04月30日 星期四 01時12分03秒 CST
gpgv:                使用 RSA 金鑰 78BD65473CB3BD13
gpgv: 完好的簽名,來自於“Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>”

Release檔案

包含Package檔案的MD5

Origin: Google LLC
Label: Google
Suite: stable
Codename: stable
Version: 1.0
Date: Wed, 29 Apr 2020 17:11:57 UTC
Architectures: amd64
Components: main
Description: Google chrome-linux software repository
MD5Sum:
 2e55673e5a00d8837090d0922e198520 4599 main/binary-amd64/Packages
 eafbe9cc415e53d2280c86a0d64be27d 1133 main/binary-amd64/Packages.gz
 156e5ea7a0c6bed5973a68a45e546dc9 151 main/binary-amd64/Release
SHA1:
 9525687fab2b772c511c9e9ae5c7c7b6d8b92e2a 4599 main/binary-amd64/Packages
 c364469ff8578e7c7323b030ad3e459b9192a4ea 1133 main/binary-amd64/Packages.gz
 0f4348c2d4d7cc1f8e59b5934d87f1ca872f6e34 151 main/binary-amd64/Release
SHA256:
 667d27f55652d51c57c0eaab074dd2d365e373ebd5b6e1277b18606cc5177c1b 4599 main/binary-amd64/Packages
 7dc589a54517f36e7786b101555e9f1d2c6e2058b1b3743c575eb8c165094620 1133 main/binary-amd64/Packages.gz
 c1e3c9318381862306adcdc4fd4fe2d85be8aa4c4f3dcbb40fce80413f588286 151 main/binary-amd64/Release

提取Package檔案的MD5
lfp@legion:/var/lib/apt/lists$ sed -n "s,main/binary-amd64/Packages$,,p" dl.google.com_linux_chrome_deb_dists_stable_Release
 2e55673e5a00d8837090d0922e198520 4599 
 9525687fab2b772c511c9e9ae5c7c7b6d8b92e2a 4599 
 667d27f55652d51c57c0eaab074dd2d365e373ebd5b6e1277b18606cc5177c1b 4599 

計算Package檔案的MD5
lfp@legion:/var/lib/apt/lists$ md5sum dl.google.com_linux_chrome_deb_dists_stable_main_binary-amd64_Packages 
2e55673e5a00d8837090d0922e198520  dl.google.com_linux_chrome_deb_dists_stable_main_binary-amd64_Packages

Package檔案可信

2e55673e5a00d8837090d0922e198520 一致

Package檔案

包含deb檔案的MD5

# 包含各種版本的chrome
Package: google-chrome-beta
...
Package: google-chrome-stable
Version: 81.0.4044.129-1
Architecture: amd64
Maintainer: Chrome Linux Team <chromium-dev@chromium.org>
Installed-Size: 229948
Pre-Depends: dpkg (>= 1.14.0)
Depends: ca-certificates, fonts-liberation, libappindicator3-1, libasound2 (>= 1.0.16), libatk-bridge2.0-0 (>= 2.5.3), libatk1.0-0 (>= 2.2.0), libatspi2.0-0 (>= 2.9.90), libc6 (>= 2.16), libcairo2 (>= 1.6.0), libcups2 (>= 1.4.0), libdbus-1-3 (>= 1.5.12), libdrm2 (>= 2.4.38), libexpat1 (>= 2.0.1), libgbm1 (>= 8.1~0), libgcc1 (>= 1:3.0), libgdk-pixbuf2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.39.4), libgtk-3-0 (>= 3.9.10), libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.22), libpango-1.0-0 (>= 1.14.0), libpangocairo-1.0-0 (>= 1.14.0), libx11-6 (>= 2:1.4.99.1), libx11-xcb1, libxcb-dri3-0, libxcb1 (>= 1.6), libxcomposite1 (>= 1:0.3-1), libxcursor1 (>> 1.1.2), libxdamage1 (>= 1:1.1), libxext6, libxfixes3 (>= 1:5.0), libxi6 (>= 2:1.2.99.4), libxrandr2 (>= 2:1.2.99.3), libxrender1, libxss1, libxtst6, wget, xdg-utils (>= 1.0.2)
Recommends: libu2f-udev, libvulkan1
Provides: www-browser
Priority: optional
Section: web
Filename: pool/main/g/google-chrome-stable/google-chrome-stable_81.0.4044.129-1_amd64.deb
Size: 67137920
SHA256: fe140112304b243240a5f6b287105fd5b7d6e48c6ff682194a62c8d08fd0ed5b
SHA1: f5f984d1a1419b803a7a26dbda1d04fb8313c4b3
# md5
MD5sum: 3705bb8b32a9b4cfcc4440c14966acbc
Description: The web browser from Google
 Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.

Package: google-chrome-unstable
...
提取deb檔案的MD5
lfp@legion:/var/lib/apt/lists$ sed -n "s/MD5sum: //p" dl.google.com_linux_chrome_deb_dists_stable_main_binary-amd64_Packages 
9c6634a7bbda0cedb2d218410c0a06c2
3705bb8b32a9b4cfcc4440c14966acbc
fe9bc72b7cb12549a69187c0e393f930
從apt快取中提取chrome資訊
lfp@legion:/var/lib/apt/lists$ apt-cache show chromium-browser | sed -n "s/MD5sum: //p"
# 沒有匹配的md5,開啟瀏覽器,檢視chrome的版本資訊是:版本 81.0.4044.129(正式版本) (64 位)
# apt-cache show chromium-browser 顯示資訊如下,沒有找到同一個版本,於是從Google下載了一個最新的安裝包
# Package: chromium-browser
# Filename: pool/universe/c/chromium-browser/chromium-browser_80.0.3987.163-0ubuntu0.18.04.1_amd64.deb
6dcd58431410a691c847a709765f7248
dfd394ff98654f1e0a97d204f7343ab1
計算deb檔案的MD5

從Google那裡下載了一個deb安裝包

lfp@legion:~/Downloads$ md5sum google-chrome-stable_current_amd64.deb 
3705bb8b32a9b4cfcc4440c14966acbc  google-chrome-stable_current_amd64.deb
deb檔案可信

3705bb8b32a9b4cfcc4440c14966acbc 一致

nodejs驗證

特點

  1. nodejs 是InRelease檔案,內聯簽名
  2. 使用本地金鑰環驗證(儲存在 /etc/apt/trusted.gpg)

InRelease檔案

包含Package檔案的MD5

驗證簽名
lfp@legion:/var/lib/apt/lists$ gpgv --keyring /etc/apt/trusted.gpg deb.nodesource.com_node%5f12.x_dists_bionic_InRelease 
gpgv: 簽名建立於 2020年04月30日 星期四 00時53分13秒 CST
gpgv:                使用 RSA 金鑰 9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280
gpgv: 完好的簽名,來自於“NodeSource <gpg@nodesource.com>”

lfp@legion:/var/lib/apt/lists$ vim deb.nodesource.com_node%5f12.x_dists_bionic_InRelease

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: Node Source
Label: Node Source
Codename: bionic
Date: Wed, 29 Apr 2020 16:53:13 UTC
Architectures: i386 amd64 armhf arm64
Components: main
Description: Apt Repository for the Node.JS 12.x Branch
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-i386/Packages
 7029066c27ac6f5ef18d660d5741979a 20 main/binary-i386/Packages.gz
 cf52b42ebdc37bfabc86a5db93fcbdbc 130 main/binary-i386/Release
 # amd64
 6d2cd675d3c647d51a8ee0349754a976 1195 main/binary-amd64/Packages
 608cc59026b960ec64b97bcbeaa68003 765 main/binary-amd64/Packages.gz
 049fa528953b36ae91d8fe360618d46f 131 main/binary-amd64/Release
 14ce3c619a83d518ee3e433dedbdf26a 1216 main/binary-armhf/Packages
 219c6a1d7d300d409d4bb8249911d58f 775 main/binary-armhf/Packages.gz
 8064ccb91382a3c1cbade0c462ee18b3 131 main/binary-armhf/Release
 45ad97bad6053d65a462c352219fa962 1195 main/binary-arm64/Packages
 8afb33e583bf54aabaeb9b3378c3ca26 766 main/binary-arm64/Packages.gz
 670d019ad65bf455298c252afc334bff 131 main/binary-arm64/Release
 d41d8cd98f00b204e9800998ecf8427e 0 main/source/Sources
 7029066c27ac6f5ef18d660d5741979a 20 main/source/Sources.gz
 e4627d3fe224f8b3c07d9a69c88bedd2 132 main/source/Release

提取Package檔案的MD5
sed -n "s,main/binary-amd64/Packages$,,p" deb.nodesource.com_node%5f12.x_dists_bionic_InRelease 
 6d2cd675d3c647d51a8ee0349754a976 1195 
 4615cf89691b8c95c052a84b09a1d24079268403 1195 
 8ec2d3674dc82a29ca759a2cf59cfe67a2b6c3a42106c523b11f93791a1e538e 1195 
計算Package檔案的MD5
lfp@legion:/var/lib/apt/lists$ md5sum deb.nodesource.com_node%5f12.x_dists_bionic_main_binary-amd64_Packages 
6d2cd675d3c647d51a8ee0349754a976  deb.nodesource.com_node%5f12.x_dists_bionic_main_binary-amd64_Packages
Package檔案可信

6d2cd675d3c647d51a8ee0349754a976 一致

Package檔案

包含deb檔案的MD5

Package: nodejs
Version: 12.16.3-1nodesource1
Architecture: amd64
Maintainer: Chris Lea <chl@nodesource.com>
Installed-Size: 87857
Depends: libc6 (>= 2.17), libgcc1 (>= 1:3.4), libstdc++6 (>= 4.8), python-minimal, ca-certificates
Conflicts: nodejs-dev, nodejs-legacy, npm
Replaces: nodejs-dev (<= 0.8.22), nodejs-legacy, npm (<= 1.2.14)
Provides: nodejs-dev, nodejs-legacy, npm
Homepage: https://nodejs.org
Priority: optional
Section: web
Filename: pool/main/n/nodejs/nodejs_12.16.3-1nodesource1_amd64.deb
Size: 17989662
SHA256: b2d1a6327f5a34c097d7fb5eeed8357d9758c09b30e356f45dfa01cc24103108
SHA1: de90a1776ee9995b3121ab68f49fef3cb110ce65
MD5sum: 9f87646d2782a572da1f965cf96f974f
Description: Node.js event-based server-side javascript engine
 Node.js is similar in design to and influenced by systems like
 Ruby's Event Machine or Python's Twisted.
 .
 It takes the event model a bit further - it presents the event
 loop as a language construct instead of as a library.
 .
 Node.js is bundled with several useful libraries to handle server tasks :
 System, Events, Standard I/O, Modules, Timers, Child Processes, POSIX,
 HTTP, Multipart Parsing, TCP, DNS, Assert, Path, URL, Query Strings.

提取deb檔案的MD5
lfp@legion:/var/lib/apt/lists$ sed -n "s/MD5sum: //p" deb.nodesource.com_node%5f12.x_dists_bionic_main_binary-amd64_Packages 
9f87646d2782a572da1f965cf96f974f
從apt快取中提取nodejs資訊
lfp@legion:/var/lib/apt/lists$ apt-cache show nodejs | sed -n "s/MD5sum: //p"
# 包含不同版本的資訊
9f87646d2782a572da1f965cf96f974f
0e6643fbe872255dbfaebd5449813d8f
02d7a42a30a7d72b78d9bc4a7ceb5a5a
3930b41c309e69cc0bd3737cfc1e7d31
計算deb檔案的md5
lfp@legion:/var/lib/apt/lists$ md5sum /var/cache/apt/archives/nodejs_12.16.3-1nodesource1_amd64.deb 
9f87646d2782a572da1f965cf96f974f  /var/cache/apt/archives/nodejs_12.16.3-1nodesource1_amd64.deb
deb檔案可信

9f87646d2782a572da1f965cf96f974f 一致

smplayer 驗證

特點

  1. smplayer 是InRelease檔案,內聯簽名
  2. 使用第三方金鑰環去驗證(儲存在/etc/apt/trusted.gpg.d目錄中)

驗證流程

  1. 簽名

    lfp@legion:/var/lib/apt/lists$ gpgv --keyring /etc/apt/trusted.gpg.d/rvm_ubuntu_smplayer.gpg ppa.launchpad.net_rvm_smplayer_ubuntu_dists_bionic_InRelease 
    gpgv: 簽名建立於 2020年04月13日 星期一 23時45分47秒 CST
    gpgv:                使用 RSA 金鑰 A7E13D78E4A4F4F4
    gpgv: 完好的簽名,來自於“Launchpad PPA named smplayer for rvm”
    
  2. Package

    MD5 7aa109a3525c661e783e9b943e4b46fa

    lfp@legion:/var/lib/apt/lists$ sed -n "s,main/binary-amd64/Packages$,,p" ppa.launchpad.net_rvm_smplayer_ubuntu_dists_bionic_InRelease 
     7aa109a3525c661e783e9b943e4b46fa             2909 
     29ca94a4f3a57c328b31789bce66cd6bbaa819e2             2909 
     6586e6ef8389cddb47ae0f7f7761ddbfedab35ed3ffbb3b10b4a1f91264577ae             2909 
    
    lfp@legion:/var/lib/apt/lists$ md5sum ppa.launchpad.net_rvm_smplayer_ubuntu_dists_bionic_main_binary-amd64_Packages 
    7aa109a3525c661e783e9b943e4b46fa  ppa.launchpad.net_rvm_smplayer_ubuntu_dists_bionic_main_binary-amd64_Packages
    
  3. deb

    MD5 601afc2fe220b608acb1e5b920afca96

    lfp@legion:/var/lib/apt/lists$ sed -n "s/MD5sum: //p" ppa.launchpad.net_rvm_smplayer_ubuntu_dists_bionic_main_binary-amd64_Packages 
    601afc2fe220b608acb1e5b920afca96
    b569cc540016f0b04fae5dd15a1434eb
    4eb1111c66b5087e7489cf7526321a9e
    45a466ca713b566f920d9e6414212552
    
    lfp@legion:/etc/apt/trusted.gpg.d$ apt-cache show smplayer | grep -E 'MD5|Filename'
    Filename: pool/main/s/smplayer/smplayer_20.4.2-1~bionic1_amd64.deb
    MD5sum: 601afc2fe220b608acb1e5b920afca96
    Filename: pool/universe/s/smplayer/smplayer_18.2.2~ds0-1_amd64.deb
    MD5sum: 7fdfc2f64d835cf5f7a38035523379a2
    
    lfp@legion:/var/cache/apt/archives$ md5sum smplayer_20.4.2-1~bionic1_amd64.deb 
    601afc2fe220b608acb1e5b920afca96  smplayer_20.4.2-1~bionic1_amd64.deb
    

沒有公鑰或簽名無效測試

  1. 本地沒有該公鑰

  2. 本地公鑰過期

    猜測:此時軟體釋出者應該會建立一個新的子金鑰來簽名,而本地公鑰是過期的,情況類似於用一個錯誤的金鑰驗證簽名檔案

    # 使用錯誤的金鑰去驗證簽名檔案
    lfp@legion:~$ gpgv --keyring /etc/apt/trusted.gpg.d/sogou-archive-keyring.gpg /var/lib/apt/lists/typora.io_linux_._InRelease 
    gpgv: 簽名建立於 2020年03月04日 星期三 00時11分02秒 CST
    gpgv:                使用 RSA 金鑰 4AC441BE68B4ADAB7439FBF9BA300B7755AFCFAE
    gpgv:                issuer "abner@typora.io"
    gpgv: 無法檢查簽名:沒有公鑰
    

相關問題

EXPKEYSIG 沒有數字簽名

問題:執行apt update 出現如下錯誤

W: GPG 錯誤:https://dl.yarnpkg.com/debian stable InRelease: 下列簽名無效: EXPKEYSIG 23E7166788B63E1E Yarn Packaging yarn@dan.cx
E: 倉庫 “https://dl.yarnpkg.com/debian stable InRelease” 沒有數字簽名。
N: 無法安全地用該源進行更新,所以預設禁用該源

原因:

安裝第三方軟體的時候會同時安裝軟體倉庫地址以及金鑰,上述問題是因為本地的金鑰過期了,需要更新

https://github.com/yarnpkg/yarn/issues/7866#issue-558663837

辦法:更新金鑰

  1. 找到該軟體安裝方法中新增金鑰的方式(如yarn的安裝步驟一),再次執行即可

  2. 直接搜尋金鑰新增到金鑰列表

    apt-key adv --keyserver <server_url> --recv-key <keyId>
    
  3. 到伺服器找金鑰手動安裝

    1. 獲取 pub_key的ID

      23E7166788B63E1E

    2. 金鑰伺服器上以十六進位制形式搜尋

      http://keyserver.ubuntu.com/

      0x23E7166788B63E1E

    3. 單擊 pub連結,複製金鑰內容並儲存到本地,以txt格式

      key.txt

      金鑰內容

    4. 終端新增金鑰

      sudo apt-key add key.txt

      ok

    5. 更新

      sudo apt update

相關文章